Remote deletion of secure element contents

ABSTRACT

A method for transmitting data between a mobile communication device and a server. The method includes running a mobile application on the mobile communication device. The mobile application is hosted on the mobile communication device through the server as a Software as a Service (SaaS). The method further includes transmitting data associated with the mobile application between the mobile communication device and the server, in which transmission of the data between the mobile communication device and the server is monitored through the server.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of application Ser. No. 11/939,821,filed Nov. 14, 2007, titled METHOD AND SYSTEM FOR SECURING TRANSACTIONSMADE THROUGH A MOBILE COMMUNICATION DEVICE, all of which is incorporatedby reference herein in its entirety.

FIELD OF INVENTION

The present invention relates to data communications and wirelessdevices.

BACKGROUND OF THE INVENTION

Mobile communication devices—e.g., cellular phones, personal digitalassistants, and the like—are increasingly being used to conduct paymenttransactions as described in U.S. patent application Ser. No.11/933,351, entitled “Method and System For Scheduling A BankingTransaction Through A Mobile Communication Device”, and U.S. patentapplication Ser. No. 11/467,441, entitled “Method and Apparatus ForCompleting A Transaction Using A Wireless Mobile Communication Channeland Another Communication Channel, both of which are incorporated hereinby reference. Such payment transactions can include, for example,purchasing goods and/or services, bill payments, and transferring fundsbetween bank accounts. Given the sensitive nature of personal money orbanking data that may be stored on a mobile communication device as aresult of the ability to transact payments, it is critical to protect auser from fraudulent usage due to, e.g., loss or theft of a mobilecommunication device.

BRIEF SUMMARY OF THE INVENTION

In general, in one aspect, this specification describes a method fortransmitting data between a mobile communication device and a server.The method includes running a mobile application on the mobilecommunication device. The mobile application is hosted on the mobilecommunication device through a management server. The method furtherincludes transmitting data associated with the mobile applicationbetween the mobile communication device and the server, in whichtransmission of the data between the mobile communication device and themanagement server is monitored through the management server.

Implementations can include one or more of the following features.Transmitting data can include generating a session key that is onlyvalid for a given communication session between the mobile communicationdevice and the server. The method can further include disabling use ofthe mobile application running on the mobile communication devicethrough the management server by invalidating the session key. Themethod can further include timing out a given communication sessionbetween the mobile communication device and the management server aftera pre-determined amount of time to prevent theft of data that isaccessible through the mobile application. Transmitting data associatedwith the mobile application between the mobile communication device andthe management server can include prompting a user to enter a paymentlimit PIN in response to a pending purchase exceeding a pre-determinedamount. The payment limit PIN can be applied to all purchases globallyor on a per-payment basis. The method can include use of biometrics toauthenticate the user before authorizing the transacation. The mobileapplication can comprise a payment transaction application that permitsa user to perform one or more of the following services including billpayment, fund transfers, or purchases through the mobile communicationdevice. The mobile application can permit a user to subscribe to each ofthe services separately.

The details of one or more implementations are set forth in theaccompanying drawings and the description below. Other features andadvantages will be apparent from the description and drawings, and fromthe claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates one implementation of a block diagram of acommunication system including a wireless mobile communication device.

FIG. 2 illustrates one implementation of the wireless mobilecommunication device of FIG. 1.

FIG. 3 illustrates one implementation of a method for authenticating auser.

FIG. 4 illustrates one implementation of a method for remotely lockinguse of a mobile application on a mobile communication device.

Like reference symbols in the various drawings indicate like elements.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 illustrates one implementation of a communication system 100. Thecommunication system 100 includes a hand-held, wireless mobilecommunication device 102 a point-of-sale device 104 and a remote server106. In one implementation, the mobile communication device 102 includesa mobile application (discussed in greater detail below) that permits auser of the mobile communication device 102 to conduct paymenttransactions. Payment transactions can include, for example, usingcontactless payment technology at a retail merchant point of sale (e.g.,through point of sale device 104), using mobile/internet commerce (e.g.,purchase tickets and products, etc.), storage of payment information andother digital artifacts (receipts, tickets, coupons, etc), storage ofbanking information (payment account numbers, security codes, PIN's,etc.), and accessing banking service (account balance, payment history,bill pay, fund transfer, etc.), and so on.

In one implementation, the mobile application running on the mobilecommunication device 102 implements one or more of the following toolsto secure data that may be stored and presented on the mobilecommunication device 102 as a result of a payment transaction. Themobile application can implemented one the mobile communication device102 through a management server which hosts and operates (eitherindependently or through a third-party) the application for use by itscustomers over the Internet, or other wireless network (e.g., a privatenetwork), or a wired network. In one implementation, customers do notpay for owning the software itself but rather for using the software. Inone implementation, the mobile application is accessible through an APIaccessible over the Web (or other network). The mobile application caninclude a multi-factored PIN-based login and authentication, and includesession keys and have command-level authentication. In oneimplementation, the mobile application running on the mobilecommunication device 102 can be remotely locked through a remote server(e.g., remote server 106). In one implementation, a PIN request can beimplemented to limit the amount of purchases that can be made. Further,security codes for different payment methods can be implemented toprotect a user. Each of these tools is discussed in greater detailbelow.

FIG. 2 illustrates one implementation of the mobile communication device102. The mobile communication device 102 includes a mobile application200 that (in one implementation) is provided to the mobile communicationdevice 102 through a remote server (e.g., remote server 106). In oneimplementation, the mobile application is a Mobile Wallet applicationavailable from Mobile Candy Dish, Inc., of Berkeley, Calif. Providingthe mobile application as a hosted service enables central monitoringand management of all security aspects of the service at the remoteserver. In addition, data (corresponding to a payment transaction) canbe stored on the remote server (e.g., remote server 106 (FIG. 1)) in asecure manner. In one implementation, the remote server is a managementserver that is can be maintained by Mobile Candy Dish or a trusted thirdparty, as described in U.S. patent application Ser. No. 11/933,351. Forexample, the data can be securely stored on the remote server usingconventional PCI guidelines. Hence, in the event the mobilecommunication device 102 is lost (or stolen), no confidential data canbe recovered as no data is stored on the mobile communication device102. In addition, an added benefit is that a user can recover seamlesslyby syncing new mobile communication device (via new installation of themobile application) with the service. Thus, in one implementation,sensitive information (e.g., banking account numbers, credit cardaccount numbers, expiry dates, and so on) are never stored on the mobilecommunication device. This reduces risk and exposure of the user'sprivate information and data.

Client Login and Authentication

In general, while effort is made to minimize storage of sensitive userinformation and data in a memory of a mobile communication device, inone implementation, some data is stored in the memory of a mobilecommunication device due to reasons of performance, usability and userexperience. For example, data may need to be stored on a mobilecommunication device in the following circumstances. Paymentcredentials, coupons, tickets, and so on may have to be stored on thesecure element of an NFC phone. Account balance, banking paymenthistory, etc., may be locally cached on a mobile communication device.In one implementation, a user can opt-in to save payment method securitycodes in the client (or mobile application) for convenience. Ticketsand/or coupons may be locally cached so that a user can redeem thetickets and/or coupons in an offline mode. For example, a mobilecommunication device may be offline in a situation in which networkconnectivity inside a building is degraded, and storing a ticket and/orcoupon in a local cache of the mobile communication device permits theuser to access the ticket or coupon.

In addition to data partitioning, in one implementation, users have anability to subscribe to different services. For example, User A maysubscribe to “Mobile Payments” and “Mobile Banking” services, while UserB may only subscribe to “Mobile Banking” and “What's Nearby” services.Hence, in one implementation, the mobile application includes amechanism to enable/disable different services on the Client based onparticular services to which users are subscribed. Table 1 belowillustrates example services that are enabled/disabled based on usersubscriptions.

TABLE 1 USER SERVICE SUBSCRIPTION STATUS User A Money Manager DisabledUser B Money Manager Transaction Only User C Money Manager Transaction,Payment User D Money Manager Transaction, Payment, BillPay, FundTransferThe above example control access to the Money Manager service and whatprivileges within the service a given user can perform. This will beused by the Client (mobile application) to enable/disable availablefeatures on the Client.

In one implementation, when a user subscribes to a mobile wallet theuser is assigned credentials that include a unique WalletID, SiteKey, auser-defined PIN, as well as tokens that specify access and privilegesfor the different services. FIG. 3 illustrates one implementation of amethod 300 for authenticating a user. User input is received (through amobile communication device) logging into the mobile application service(step 302). In one implementation, when a user attempts to login withthe client, the user is prompted to enter login credentials (e.g.,mobile phone number, 1-time activation code, Wallet PIN, etc.). Asession key is generated (step 304). In one implementation, the sessionkey is a unique server-generated session key that is valid only for theduration of a given session. In one implementation, the session key isused to ensure the server can identify the client and ensure that theclient has been previously authenticated. Upon a successful login, theserver will transfer credentials, service access and privileges (step306), which are locally cached on the mobile communication device. Theservice access and privileges control the behavior of the client. In oneimplementation, to prevent command spoofing, the session key is passedin every API server call. The server will validate (every time) thesession key is valid. If valid, the API server call is processed.Failure to validate the session key will cause a failure. In such acase, the client will flush the cached PIN and force the user tore-authenticate (or re-login).

Remote Lock

In one implementation, a mobile application running on a mobilecommunication device can be remotely locked (or disabled) byinvalidating a session key. Users, via calling a Customer Care, apersonal web portal, or some other mechanism, can implement changes(e.g., change PIN, etc.) that causes the server to invalidate thesession key. In real-time, the next attempt by the client to issue anAPI server call, validation of the session key will fail, which (in oneimplementation) causes the client to automatically flush the cached PINand session key, and force the user to re-authenticate. In addition, theclient can perform additional actions, in addition to flushing thecached PIN and session key. This includes, but is not limited to, one ormore of the following: changing the secure element mode to effectivetemporarily or permanently disable the secure element—i.e., a user canremotely alter the state of the smart chip to lock it remotely; anddeleting all cached data stored in the memory (or disk) of the mobilecommunication device.

Session Time Out

In one implementation, while a client is open, a user has access totransaction data. In such an implementation, users who may misplace amobile communication device while the client is open may expose the userto risk of information theft. Therefore, in one implementation, mobileapplication (or client) shuts down after a period of inactivity.Additional tasks that can be associated with the shutdown procedure caninclude, but is not limited to, temporarily shutting down a secureelement (of the mobile communication device) to prevent NFC payments,NFC coupon redemption, and NFC ticket redemption.

Payment Limit PIN

For payments (mobile commerce ticket purchase, etc.), in oneimplementation a user can prevent either fraudulent purchases oraccidental purchases by forcing a PIN prompt when a purchase amountexceed a user-specified value. In one implementation, a user can controlthis behavior globally (e.g., across all users' payment methods) or on aper-payment-method basis. Thus, when a user purchases ticket and selectsa payment method (to pay for purchase), if the transaction amountexceeds a specified payment method's limit, the client will trigger andprompt for the PIN. In order to proceed with purchase, the user has toenter the correct PIN. The user's input is validated against the cachedPIN on the client. The payment transaction will proceed if validated.Otherwise, an appropriate response is generated to the user.Effectively, this is a mechanism for the user (not the Merchant orIssuing Bank) to throttle/control the dollar amount that can beauthorized for various payments and transactions. In the event of acontactless purchase, the client controls the smart chip. In the eventof an electronic purchase (ticketing, etc.), a server can manages thecontrols.

Local Storage of Payment Security Codes

As a convenience to users, a user can opt-in and have only the securitycodes (CVV, etc.) associated to each of their payment methods locallystores on the client. In one implementation, management tools areprovided to add/delete/edit these security codes. In one implementation,the security codes are encrypted (Key Management of encryption keyperformed by a server) and then only stored in the client on the mobilecommunication device. In one implementation, security codes are notstored in any form on the server. The encryption key and security codescan be kept separately to prevent fraudulent usage.

Although the present invention has been particularly described withreference to implementations discussed above, various changes,modifications and substitutes are can be made. Accordingly, it will beappreciated that in numerous instances some features of the inventioncan be employed without a corresponding use of other features. Further,variations can be made in the number and arrangement of componentsillustrated in the figures discussed above.

1. A method comprising: identifying a secure element coupled to a mobiledevice, the secure element configured to conduct a near fieldcommunication (NFC) transaction with an NFC terminal, the NFC terminaloperable to trigger the secure element using NFC induction, wherein themobile device includes a mobile device memory, a mobile deviceprocessor, and a mobile device transceiver and the secure elementincludes a secure element memory, a secure element processor, and asecure element NFC transceiver; and executing a secure element memorydelete command at a remote server for the mobile application to deletedata maintained in the secure element memory to prevent the secureelement from conducting the NFC transaction with the NFC terminal,wherein the mobile application is preinstalled or downloaded andinstalled by a user on the mobile device.
 2. The method of claim 1,wherein the secure element coupled to the mobile device is temporarilydisabled.
 3. The method of claim 1, the secure element coupled to themobile device is permanently disabled.
 4. The method of claim 1, whereinthe secure element coupled to the mobile device is locked.
 5. The methodof claim 1, wherein data stored in the mobile device memory is deleted.6. The method of claim 1, wherein a session key is a shared key.
 7. Themethod of claim 1, wherein the secure element is permanently embeddedwithin a body of the mobile device.
 8. The method of claim 1, whereinthe secure element is affixed externally to the mobile device.
 9. Themethod of claim 1, wherein the secure element is removably embedded in aslot of the mobile device.
 10. A server comprising: an interfaceconfigured identify a secure element coupled to a mobile device, whereinthe secure element is configured to execute a near field communication(NFC) transaction with an NFC terminal, the NFC terminal operable totrigger the secure element using NFC induction, wherein the mobiledevice includes a mobile device memory, a mobile device processor, and amobile device transceiver and the secure element includes a secureelement memory, a secure element processor, and a secure element NFCtransceiver; and a processor configured to execute a secure elementmemory delete command for the mobile application to delete datamaintained in the secure element memory to prevent the secure elementfrom conducting the NFC transaction with the NFC terminal, wherein themobile application is preinstalled or downloaded and installed by a useron the mobile device.
 11. The server of claim 10, wherein the secureelement coupled to the mobile device is temporarily disabled.
 12. Theserver of claim 10, the secure element coupled to the mobile device ispermanently disabled.
 13. The server of claim 10, wherein the secureelement coupled to the mobile device is locked.
 14. The server of claim10, wherein data stored in the mobile device memory is deleted.
 15. Theserver of claim 10, wherein a session key is a shared key.
 16. Theserver of claim 10, wherein the secure element is permanently embeddedwithin a body of the mobile device.
 17. The server of claim 10, whereinthe secure element is affixed externally to the mobile device.
 18. Theserver of claim 10, wherein the secure element is removably embedded ina slot of the mobile device.
 19. A system comprising: means foridentifying a secure element coupled to a mobile device, the secureelement configured to conduct a near field communication (NFC)transaction with an NFC terminal, the NFC terminal operable to triggerthe secure element using NFC induction, wherein the mobile deviceincludes a mobile device memory, a mobile device processor, and a mobiledevice transceiver and the secure element includes a secure elementmemory, a secure element processor, and a secure element NFCtransceiver; and means for executing a secure element memory deletecommand at a remote server for the mobile application to delete datamaintained in the secure element memory to prevent the secure elementfrom conducting the NFC transaction with the NFC terminal, wherein themobile application is preinstalled or downloaded and installed by a useron the mobile device.
 20. The method of claim 19, wherein the secureelement coupled to the mobile device is temporarily disabled.